Security researchers Noam Rotem and Ran Locar discovered 845GB of private data from several niche dating apps on May 24, according to Wired. The developer for apps like 3somes, Herpes Dating, and SugarD stored data in Amazon Web Services “buckets,” but left it accessible to the public. Rotem and Locar reached out to 3somes two days later, received a brief response, and the buckets were promptly locked down. Their report was published on Monday and estimates hundreds of thousands — potentially millions — of users’ data was compromised.
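The exposure described above comes down to an S3 bucket configuration, and the three places a public grant can hide are the bucket ACL, the bucket policy, and the account or bucket level "Block Public Access" settings. The following is an added example, not code from the article or from the apps' developer: a small offline audit that takes those three configuration documents (constructed samples are embedded below, in the shape the AWS `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` calls return) and flags the grants that would make objects readable by anyone, alongside the hardened settings that close them. Pulling the real documents from AWS is left to the caller.

```python
import json

# Real S3 group URIs that mean "anyone on the internet" / "anyone with any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# The four real S3 Block Public Access settings; all four should be True.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

# Constructed sample: an exposed bucket (public-read ACL, public-read policy, no block).
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")
EXPOSED_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}

# Constructed sample: the hardened counterpart (owner-only ACL, no policy, full block).
PRIVATE_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
HARDENED_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}


def acl_public_grants(acl):
    """Return 'Group:Permission' for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append(f"{PUBLIC_GROUP_URIS[grantee['URI']]}:{grant.get('Permission')}")
    return findings


def _principal_is_wildcard(principal):
    """True for the principal spellings that mean 'everyone': "*", {"AWS": "*"}, {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (Sid, sorted actions, has_condition) for Allow statements with a wildcard principal.

    A statement with a Condition may still be public (e.g. a permissive aws:SourceIp);
    it is reported with has_condition=True so a human reviews it rather than being dropped.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", ""), sorted(actions), "Condition" in stmt))
    return findings


def public_access_block_gaps(config):
    """Return the Block Public Access settings that are not enabled."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if config.get(k) is not True]


def audit_bucket(acl, policy, public_access_block):
    """Combine the checks. Simplified model: IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises public policy statements; anything else left over is exposed."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy)
    gaps = public_access_block_gaps(public_access_block)
    effective_acl = acl_findings if "IgnorePublicAcls" in gaps else []
    effective_policy = policy_findings if "RestrictPublicBuckets" in gaps else []
    return {
        "acl_public_grants": acl_findings,
        "policy_public_statements": policy_findings,
        "block_public_access_gaps": gaps,
        "exposed": bool(effective_acl or effective_policy),
    }


if __name__ == "__main__":
    print("exposed sample:", json.dumps(audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_BLOCK), indent=2))
    print("hardened sample:", json.dumps(audit_bucket(PRIVATE_ACL, EMPTY_POLICY, HARDENED_BLOCK), indent=2))
```

The point of the combined verdict is that the same public ACL or policy stops being a finding once the Block Public Access settings are all on, which is why turning those four settings on at the account level is the first thing to check when auditing a fleet of buckets; the per-bucket ACL and policy review then catches anything that was deliberately exempted.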
A silver platter of data — Though traditional breach data like email addresses or passwords weren’t exposed, a variety of files held sensitive information. In addition to explicit media, researchers found screenshots of messages that revealed information like financial transactions, photos showing users’ faces, and other content that disclosed their names. Doxxing is always a harmful possibility when information like this isn’t adequately protected, but this adds another layer of concern for those with stigmatized STI statuses.
"We were amazed by the size and how sensitive the data was," Locar told Wired. "The risk of doxing [sic] that exists with this kind of thing is very real — extortion, psychological abuse. As a user of one of these apps you don’t expect that others outside the app would be able to see and download the data."
One developer, many sites — The researchers posit developer “Cheng Du New Tech Zone” is at the center of the negligent data storage for several alternative dating apps. Some apps list this developer while others' websites share clear visual similarities in design.
Unfortunately, there isn’t much recourse for users of these apps other than hoping their information wasn’t already pulled by bad actors. The cloud infrastructure is now safe(r) from prying eyes, but there’s no way to know how long this data was unprotected. The moral of the story? Keep your face and other identifiable information out of your racy pictures... and never trust a third-party app with sensitive information. If you're going to sext, maybe keep it to Signal or other end-to-end secured messaging services?